author | Jan Cholasta <jcholast@redhat.com> | 2013-06-18 08:57:12 +0000 |
---|---|---|
committer | Alexander Bokovoy <abokovoy@redhat.com> | 2013-07-11 12:39:25 +0300 |
commit | ab96ca7831ad8ab2ee2389093ea8b9327d94d6f0 (patch) | |
tree | 2b0ac65d5c70b55d061b427804667cf66dd7e326 /ipaserver | |
parent | ec75348354a01fd332e047085942fb4a4476b184 (diff) | |
download | freeipa-ab96ca7831ad8ab2ee2389093ea8b9327d94d6f0.tar.gz freeipa-ab96ca7831ad8ab2ee2389093ea8b9327d94d6f0.tar.xz freeipa-ab96ca7831ad8ab2ee2389093ea8b9327d94d6f0.zip |
Check trust chain length in CA-less install.
https://fedorahosted.org/freeipa/ticket/3707
Diffstat (limited to 'ipaserver')
-rw-r--r-- | ipaserver/install/installutils.py | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 278240f1..a716525b 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -739,13 +739,20 @@ def check_pkcs12(pkcs12_info, ca_file, hostname):
     [(server_cert_name, server_cert_trust)] = server_certs
 
     # Check we have the whole cert chain & the CA is in it
-    for cert_name in nssdb.get_trust_chain(server_cert_name):
-        if cert_name == ca_cert_name:
+    trust_chain = nssdb.get_trust_chain(server_cert_name)
+    while trust_chain:
+        if trust_chain[0] == ca_cert_name:
             break
+        trust_chain = trust_chain[1:]
     else:
         raise ScriptError(
             '%s is not signed by %s, or the full certificate chain is not '
             'present in the PKCS#12 file' % (pkcs12_filename, ca_file))
+    if len(trust_chain) != 2:
+        raise ScriptError(
+            'trust chain of the server certificate in %s contains %s '
+            'certificates, expected 2' %
+            (pkcs12_filename, len(trust_chain)))
 
     # Check server validity
     try:
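Review bot: The new `if len(trust_chain) != 2:` check at the end of the hunk hard-codes the expected length without saying what it enforces, and the raised message gives an administrator only a count rather than what to fix. If `nssdb.get_trust_chain` returns the chain root-first (not visible here; to confirm), the list left after the `while` loop runs from the CA down to the server certificate, so a length of 2 means the CA issued the server certificate directly and any intermediate between them is rejected; a comment such as `# The CA must have issued the server cert directly; intermediates between them are not supported` above the check, and a message that ends with `'; the server certificate must be issued directly by the CA in %s'` using `ca_file`, would make the requirement explicit. As a point of style, the `while`/slice loop copies the list on every step; the same search is a single `trust_chain.index(ca_cert_name)` guarded by `except ValueError` raising the existing ScriptError, followed by `trust_chain = trust_chain[idx:]`. check_pkcs12 starts before and continues after this hunk.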